PatchSiren cyber security CVE debrief
CVE-2024-11139 Schneider Electric CVE debrief
A memory buffer boundary violation (CWE-119) in Schneider Electric EcoStruxure Power Build Rapsody allows local attackers to potentially execute arbitrary code when a malicious project file is opened. The vulnerability affects multiple localized versions of the engineering software used for electrical distribution design. CISA published advisory ICSA-25-023-05 on January 14, 2025, with a significant update on May 13, 2025, adding remediation for the international (INT) version and correcting affected product details. Vendor fixes are now available for all affected version branches.
- Vendor
- Schneider Electric
- Product
- EcoStruxure Power Build Rapsody
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-01-14
- Original CVE updated
- 2025-05-13
- Advisory published
- 2025-01-14
- Advisory updated
- 2025-05-13
Who should care
Engineering workstations running EcoStruxure Power Build Rapsody for electrical distribution design, particularly in critical infrastructure environments. Asset owners in energy, manufacturing, and building automation sectors using affected versions should prioritize patching during maintenance windows.
Technical summary
The vulnerability is a classic buffer overflow (CWE-119) in the project file parsing component of EcoStruxure Power Build Rapsody. Attackers can craft malicious project files that, when opened by a local user, trigger improper memory operations leading to potential arbitrary code execution with the privileges of the user running the application. The attack vector requires local access (AV:L) and user interaction (UI:R) to open the malicious file. The CVSS 3.1 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L, scoring 5.3 (Medium). Multiple language-specific versions are affected: Dutch (NL) through v2.5.2, French (FR) through v2.7.1, Spanish (ES) through v2.7.5, and International (INT) through v2.6.4. Remediation was released in stages: NL v2.7.2, FR v2.7.12, and ES v2.7.52 were available at initial disclosure; INT v2.8.4 was added in the May 13, 2025 update. All fixes require system restart after installation.
Defensive priority
medium
Recommended defensive actions
- Apply vendor patches: NL v2.7.2, FR v2.7.12, ES v2.7.52, or INT v2.8.4 depending on your installed version, and reboot the system after installation.
- If patching is not immediately possible, only open project files from trusted sources, scan all externally created projects with malware detection tools, encrypt project files at rest with access restricted to trusted
- When exchanging project files over networks, use secure communication protocols and verify file integrity using cryptographic hashes before use.
- Subscribe to Schneider Electric's security notification service to receive updates on affected products and remediation plans.
Evidence notes
CVE published 2025-01-14; modified 2025-05-13 to add remediation for INT version v2.8.4 and correct affected products table. CVSS 5.3 (Medium) per source. Not listed in CISA KEV.
Official resources
-
CVE-2024-11139 CVE record
CVE.org
-
CVE-2024-11139 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
public